Privacy, Data Protection & Record-keeping Policy
I am committed to offering a safe, respectful and confidential therapeutic space. This policy explains how your personal information is collected, used and protected in line with the Data Protection Act 2018, GDPR, and the BACP Ethical Framework. I am registered with the Information Commissioner’s Office as a data controller (registration number: ZB503431).
My intention is to be transparent about how your information is handled and to ensure it is treated with care, dignity and professionalism.
1. What information I collect
To provide safe and effective therapy, I collect only the information necessary for our work together, including:
your name and contact details
your GP or emergency contact information
relevant background or health information you choose to share
brief, factual therapy notes recorded under an anonymous identifying code
email or text correspondence relating to appointments or therapy
I do not use your information for marketing or share it with third parties for commercial purposes.
2. How your information is stored
Your information is stored securely in the following ways:
Contact details
Held separately from therapy notes in encrypted or password-protected digital form.
Therapy notes
Recorded under an anonymous code (not your name).
Contain brief factual information to support safe therapeutic practice.
Stored securely and separately from personal data.
Digital communication
Emails and text messages may be held on password-protected devices with up-to-date security software.
Paper records (if any)
Kept in a locked cabinet.
Only I have access to these records unless required by law or ethical obligations.
3. How long your information is kept
In accordance with professional and legal guidance:
Therapy notes: kept for 7 years after therapy ends
Contact details: kept for up to 3 years after therapy ends
Emails/texts relating to therapy: may be retained for the same duration as notes
After these periods, all data is securely destroyed or deleted.
4. Confidentiality
Everything shared in therapy is confidential, except in the following circumstances:
Clinical supervision
I discuss my work with a qualified supervisor as part of ethical practice. Your identity is protected and no identifying details are shared.
Risk of serious harm
If I believe you or someone else is at immediate risk of serious harm, I may need to contact appropriate services.
Legal requirements
I may be required to share information in cases involving:
safeguarding of children or vulnerable adults
terrorism or serious crime
court orders or legal directives
Wherever possible, I will discuss this with you first.
Unexpected incapacity
Your contact details may be shared with an appointed professional solely to inform you should I become unable to continue practising.
5. Your rights
Under GDPR, you have the right to:
access a copy of the information I hold about you
request corrections to inaccurate information
request deletion of your data (in certain circumstances)
object to how your information is used
request the transfer of your data to another provider
raise concerns about data handling
Requests must be made in writing and may take up to 30 days to process.
6. Digital safety
I take steps to protect your information through:
password-protected devices
updated firewalls and security software
secure digital storage
encrypted communication where appropriate
secure disposal of old records
If you choose to share personal information by email or text, I will assume you are aware of the associated risks and have made an informed choice.
Email and text should not be used for emergencies.
7. Questions or concerns
If you have any questions about this policy or the way your information is used, you are welcome to discuss it with me at any time.
If you have concerns that cannot be resolved directly with me, you may contact:
The Information Commissioner’s Office (ICO)
The British Association for Counselling and Psychotherapy (BACP)